craigmcc    01/08/21 12:35:36

  Modified:    catalina/src/share/org/apache/catalina/core
                        StandardServer.java
  Log:
  Strengthen the previous fix (that avoids a DoS attack) by not exposing the
  length of the shutdown command password to an attacker.  Thanks to Justin
  Erenkrantz <[EMAIL PROTECTED]> for pointing this out.
  
  Also, modify the server socket to *only* accept connections from the local
  host, rather than accepting all connections and filtering out
  non-localhost ones later.
  
  Revision  Changes    Path
  1.9       +10 -6     
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardServer.java
  
  Index: StandardServer.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardServer.java,v
  retrieving revision 1.8
  retrieving revision 1.9
  diff -u -r1.8 -r1.9
  --- StandardServer.java       2001/08/21 18:51:52     1.8
  +++ StandardServer.java       2001/08/21 19:35:36     1.9
  @@ -1,7 +1,7 @@
   /*
  - * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardServer.java,v
 1.8 2001/08/21 18:51:52 craigmcc Exp $
  - * $Revision: 1.8 $
  - * $Date: 2001/08/21 18:51:52 $
  + * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardServer.java,v
 1.9 2001/08/21 19:35:36 craigmcc Exp $
  + * $Revision: 1.9 $
  + * $Date: 2001/08/21 19:35:36 $
    *
    * ====================================================================
    *
  @@ -87,7 +87,7 @@
    * (but not required) when deploying and starting Catalina.
    *
    * @author Craig R. McClanahan
  - * @version $Revision: 1.8 $ $Date: 2001/08/21 18:51:52 $
  + * @version $Revision: 1.9 $ $Date: 2001/08/21 19:35:36 $
    */
   
   public final class StandardServer
  @@ -250,7 +250,9 @@
           // Set up a server socket to wait on
           ServerSocket serverSocket = null;
           try {
  -            serverSocket = new ServerSocket(port, 1);
  +            serverSocket =
  +                new ServerSocket(port, 1,
  +                                 InetAddress.getByName("127.0.0.1"));
           } catch (IOException e) {
               System.err.println("StandardServer.await: create: " + e);
               e.printStackTrace();
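Review bot: The new bind address is a bare literal with no comment saying that it is the purpose of the change; the `new ServerSocket(port, 1, InetAddress.getByName("127.0.0.1"))` call deserves a why-comment such as `// Bind to the loopback address only: the shutdown command must never be reachable from the network`. Since the argument is a dotted-quad literal, `InetAddress.getByName` does not consult DNS, and the `UnknownHostException` it declares is an `IOException`, so the existing catch already covers it. Binding to 127.0.0.1 will presumably not accept an IPv6 loopback client (`::1`), which is likely acceptable here but worth stating in the same comment. The enclosing `await` method (named in the error message on the following line) starts and ends outside the hunk.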
  @@ -291,7 +293,9 @@
   
               // Read a set of characters from the socket
               StringBuffer command = new StringBuffer();
  -            int expected = shutdown.length();
  +            int expected = 1024; // Cut off to avoid DoS attack
  +            while (expected < shutdown.length())
  +                expected += 1024;
               while (expected > 0) {
                   int ch = -1;
                   try {
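Review bot: The rounding loop on the added lines repeats the magic number 1024 twice and states its intent only as "Cut off to avoid DoS attack", although the commit message says the rounding exists so the read cap no longer reveals the command's exact length; a named constant and a single expression make both purposes visible: `private static final int SHUTDOWN_READ_CHUNK = 1024;` and `int expected = Math.max(SHUTDOWN_READ_CHUNK, ((shutdown.length() + SHUTDOWN_READ_CHUNK - 1) / SHUTDOWN_READ_CHUNK) * SHUTDOWN_READ_CHUNK);`, which yields the same values as the loop (1024 for lengths 0–1024, 2048 for 1025–2048, and so on). The comment should then read `// Read cap: smallest multiple of the chunk size that fits the command, so it bounds memory without exposing the command's length`. The read loop that consumes `expected`, and presumably the comparison of `command` against `shutdown`, continue past the end of the hunk.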
  
  
  
